6641863457?profile=RESIZE_400xRansomware is unfortunately is the new normal for businesses of all segments and sizes and this malware is multiplying quickly.  More than two-dozen US organizations were attacked in recent days by a known threat group attempting to deploy a dangerous new strain of ransomware called WastedLocker.

Had the attacks succeeded, they could have resulted in millions of dollars in damages to the organizations and potentially had a major impact on supply chains in the US, Symantec said in a report on 26 June 2020.  At least 31 of its customers were targeted, suggesting to researchers the actual scope of the ransomware attacks were at a high level.  Eleven of the companies are publicly listed, and eight are in the Fortune 500.

Companies affected included five organizations in the manufacturing sector, four IT companies, and three media and telecommunications firms.  Organizations in multiple other sectors including energy, transportation, financial services, and healthcare.  In each instance, attackers were able to breach networks of targeted organizations and were in the process of deploying the ransomware when analysts detected and halted the malicious action. 

The Russian hacking group, Evil Corp group was credited with these recent attacks.[1]  They are also known as the Dridex gang and has been active since 2007 when several members previously involved with the ZeuS banking trojan switched tactics and began distributing malware.

Their initial efforts were focused on distributing the Cridex banking trojan, a malware strain that later evolved into the Dridex banking trojan, and later subsequently evolved into the Dridex multi-purpose malware toolkit.   Evil Corp, through its Dridex operation became one of the largest malware and spam botnets on the Internet.  The group distributed their own malware, but also malware for other criminal groups, along with custom spam messaging.

The group began their efforts in ransomware distribution by spreading the Locky ransomware to home consumers throughout 2016.  As the ransomware market began shifting targeting from home consumers to enterprise targets, the Evil Corp gang switched gears and after dropping the Locky strain for good, they created new custom ransomware named BitPaymer.

The group used their vast network of computers infected with the Dridex malware to look for corporate networks and then deploy BitPaymer against large enterprise targets.  The group operated BitPaymer between 2017 and 2019 when new infections began to fall off.  The reasons for the slowdown are unclear, but the drop in BitPaymer infections is likely attributed to the Dridex botnet slowing down its activity between 2017 and 2019.[2]

"The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well-protected corporations, stealing credentials, and moving with ease across their networks," warned Symantec.  “As such, WastedLocker is a highly dangerous piece of ransomware."

The NCC Group, which also this week published a report on the WastedLocker campaign, said its investigations reveal the ransomware has been in use since May 2020 and was likely in development several months before May.  Evil Corp. has typically targeted file servers, database services, virtual machines, and cloud environments in its ransomware campaigns.  They have also shown a tendency to disrupt or disable backup systems and related infrastructure where possible to make recovery even harder for victims, NCC Group said.

Researchers say the attackers use a JavaScript-based malware previously associated with Evil Corp., titled SocGholish, to gain an initial foothold on victim networks.  SocGholish is being distributed in the form of a zipped file via at least 150 legitimate, but previously compromised websites.  The malware masquerades as a browser update and lays the groundwork for the computer to be profiled.  The attackers have then been using PowerShell to download and execute a loader for Cobalt Strike Beacon, a penetration-testing tool that attackers often use in malicious campaigns.

This tool is being used to execute commands, inject malicious code into processes or to impersonate them, download files, and carry out other various tasks that allow the attackers to escalate privileges and gain control of the infected system.  The attackers behind WastedLocker use legitimate processes and functions, including PowerShell scripts and the Windows Management Instrumentation Command Line Utility (wmic dot exe) in their campaign. 

To deploy the ransomware itself, the attackers have been using Windows Sysinternals tool PsExec to launch a legitimate command-line tool for managing Windows Defender (mpcmdrun.exe).  This action disables scanning of all downloaded files and attachments and disables real-time monitoring.  “It is possible that the attackers use more than one technique to perform this task since NCC reported suspected use of a tool called SecTool checker for this purpose," Symantec said.

The ransomware deploys after Windows Defender and all associated services have been stopped across the organization.  "A successful attack could cripple the victim's network, leading to significant disruption to their operations and a costly clean-up operation," Symantec warned.   

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitorings in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
Twitter: https://twitter.com/redskyalliance


[1] https://www.bbc.com/news/world-us-canada-53195749

[2] https://www.darkreading.com/attacks-breaches/major-us-companies-targeted-in-new-ransomware-campaign/d/d-id/1338189


E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance